A Password So Secure, You Don't Even Know What It Is

There are two problems with a password. The first is that you can forget it. The second is that you know it and someone else can get you to cough it up. As any hacker knows, people are usually the weakest link in any security system. We’re trusting, gullible, and, if trickery fails, there’s always blackmail or violence—the term for this sort of coercive code-cracking is rubber hose cryptanalysis.

But what if you weren’t able to tell someone else your password, even if you really wanted to? What if it was a secret even to you? No amount of the rubber hose treatment would be able to extract it. It sounds like an impossibility, but in a paper that will be presented at this week’s USENIX Security Symposium, a team of computer scientists and neuroscientists working together have created just such a password.

The method is based on something called “implicit learning,” the fact that human beings can learn things without being conscious of it. Think of riding a bike—you can do it effortlessly, but you’d be hard-pressed to explain how. Stroke victims or Alzheimer’s sufferers can learn things implicitly even when their explicit memory is severely damaged.

The researchers took advantage of implicit learning to teach subjects a sequence of 30 letters—the subjects played an online game similar to Guitar Hero, where players hit the notes that scroll toward them on the screen. Instead of notes played on a toy guitar, these test subjects hit letter keys on a computer keyboard, and were timed on how fast and accurate they were. Unbeknownst to them, the letters they were typing spelled out the password sequence. Over the course of the 45-minute game, they saw the password sequence almost 200 times, mixed in with other sequences of letters. (As games go, it’s no Halo.) As the test subjects played the game and saw the sequence over and over, they got faster at typing it.

To ask for the password, the researchers had the subjects play the game later, with the password sequence again mixed in among other sequences of letters. Because their fingers had unconsciously learned the key sequence, the subjects were reliably faster at the game when that 30-letter sequence was presented than when other sequences were. That edge proved they had been trained on that sequence, and proved, therefore, who they were—the same way a password or fingerprint does.

What’s striking is that the subjects, when asked, couldn’t say what the password sequence was—in fact the subjects were barely able to recognize it when they saw it. But they had learned it implicitly. On average the researchers found the subjects were able to get through the key sequence 10 percent faster than the other ones. That’s not an enormous difference, but enough to reliably spot the training. And it lasts: There’s some drop-off in how quickly the test subjects got through the key sequence after a couple of weeks, but not too much. Again, it’s like riding a bike.
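The timing check described above, as an added example (not the researchers' code). The decision thresholds, the permutation test used to judge "reliably faster," and the sample timings are all assumptions constructed for illustration.

```python
import random
from statistics import mean

# Assumed policy values; the article gives no decision thresholds.
MIN_ADVANTAGE = 0.05   # trained sequence must be at least 5% faster
ALPHA = 0.01           # significance level for the permutation test

def speed_advantage(trained, other):
    """Fractional speed-up on the trained sequence versus filler sequences."""
    return (mean(other) - mean(trained)) / mean(other)

def permutation_p_value(trained, other, rounds=5000, seed=0):
    """One-sided test: how often does a random relabelling of the trials
    show an advantage at least as large as the observed one?"""
    observed = speed_advantage(trained, other)
    pooled = list(trained) + list(other)
    rng = random.Random(seed)  # seeded only so the example is reproducible
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        shuffled = speed_advantage(pooled[:len(trained)], pooled[len(trained):])
        if shuffled >= observed:
            hits += 1
    return (hits + 1) / (rounds + 1)

def authenticate(trained, other):
    """Accept only if the edge is both large enough and unlikely to be noise."""
    if len(trained) < 2 or len(other) < 2:
        return False  # too few trials to measure anything
    return (speed_advantage(trained, other) >= MIN_ADVANTAGE
            and permutation_p_value(trained, other) < ALPHA)

# Constructed completion times in seconds, one value per sequence presentation.
ENROLLED_TRAINED = [9.0, 9.3, 8.9, 9.1, 9.2, 8.8, 9.1, 9.0]
ENROLLED_OTHER = [10.0, 10.4, 9.8, 10.2, 9.9, 10.1, 10.3, 9.7]
STRANGER_TRAINED = [10.1, 9.9, 10.3, 9.8, 10.0, 10.2, 9.7, 10.4]
STRANGER_OTHER = [10.0, 10.4, 9.8, 10.2, 9.9, 10.1, 10.3, 9.7]

if __name__ == "__main__":
    print("enrolled user:", authenticate(ENROLLED_TRAINED, ENROLLED_OTHER))
    print("stranger:     ", authenticate(STRANGER_TRAINED, STRANGER_OTHER))
```

The constructed enrolled user is about 10 percent faster on the trained sequence, matching the average edge the article reports, while the stranger shows no edge and is rejected.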

The research is still some way off from actually being used by spies—or, for that matter, corporate IT departments. A 45-minute test is a lot less efficient than just telling someone a password or scanning one’s fingerprint. According to Daniel Sanchez, a cognitive scientist at Northwestern University and one of the authors of the paper, the next step is to streamline the process, using shorter sequences and shorter training.

Perhaps the most intriguing advantage the method has is that it also actively defeats efforts to try to discover the password. Say a spy fell into the clutches of his enemies, and they tried to ferret out the password locked in his unconscious. His captors, if they were clever, could try to reverse engineer the password by having the spy play the game, inserting different combinations of letters to see if he was particularly fast at them. The problem with that approach, however, is that in testing him on those sequences his captors would just be teaching him those sequences, so he’d get faster at those, too. The effort to extract the password, in other words, would just bury it.